Today is the deadline set by the Department of Homeland Security for all executive branch agencies to fully adopt Domain-based Message Authentication, Reporting and Conformance (DMARC), the email authentication protocol needed to prevent phishing attacks that hijack or mimic their domains. In the past 24 hours, Agari has analyzed federal DMARC adoption on the eve of BOD 18-01 and the results are very encouraging – an overwhelming 85 percent of federal executive branch domains have implemented DMARC with 74% implement a reject policy.
According to Agari's September 2018 BOD 18-01 Progress Report, 64% of the 1,144 executive branch domains had met the mandate ahead of schedule, so it’s great to see this extra effort in the final mile. In general terms, that means these domains now fully comply with binding operational directive BOD 18-01, issued by DHS last October.
In addition to requiring domains to protect email and websites with TLS and HTTPS, the directive stipulates the use of DMARC in order to reduce the risk of fraudulent emails being sent from these official government domains, or by "lookalike" domains meant to mimic them.
This is a tremendous achievement. Especially in a day and age when we seem to live in a state of constant crisis with cybercriminals, hacktivists and foreign adversaries threatening us on a regular basis. And when fear, threats and disinformation seem to dominate every news cycle.
Indeed, it was just 12 short months ago that Jeanette Manfra, the Assistant Secretary for DHS Office of Cybersecurity and Communications (CS&C), took a bold step to turn the tide and reduce the nation’s attack surface through this ambitious email security initiative. I am pleased to celebrate this rare victory in protecting our citizens.
.Gov is a Battlefield
The importance of BOD 18-01 and the push for DMARC implementation cannot be overstated.
The effort marks the first time the federal government has put mechanisms in place to prevent cybercriminals, foreign powers or other non-state actors from sending emails that purport to come from an agency and its .gov domain, but are in fact meant to fool recipients with false information, directives, or requests for sensitive data or payments.
When you consider the damage done every day by fraudsters leveraging sophisticated social engineering tactics and domain spoofing techniques, you start to understand why businesses have lost more than $12.5 billion since 2013 due to business email compromise (BEC), phishing and other advanced email threats.
Add in messages from malicious forces impersonating personnel from DHS, the Department of Defense, the Department of Energy, and the Department of Commerce, and you start to grasp the enormous political, financial and security implications unprotected email systems represent.
First introduced in 2012, DMARC is an open standard email authentication, policy and reporting protocol use to prevent these and other forms of email-based impersonation scams.
DMARC Demystified
For those just tuning in, DMARC acts as the policy layer for email authentication technologies already widely in use, including Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
At its most essential, DMARC checks for alignment between the apparent sender (the SPF part) and the message (the DKIM part)—enabling both sending servers and receiving servers to spot scams. Using DMARC, domain owners can embed instructions, or enforcement policies, to the receiving server about what to do if there's non-alignment.
Effective today, federal agencies are required to not only have added DMARC records to each of the executive branch's 1,444 domains, but also to have set enforcement policies to the highest setting (p=reject), which instructs receiving servers to reject email that fails to demonstrate DMARC alignment.
This dramatically reduces the chances that malicious messages purporting to come from a federal government agency will ever reach their targets, whether those targets are other agencies, suppliers, businesses or consumers. As of September anyway, there was still a lot of work to do in a very short amount of time.
Defense Meets Offense
With at least 74% of federal executive branch agencies implementing the “p=reject” policy ahead of the deadline, there has been a constant increase from 42% in July to 64% in September and now 74% today. Which is “way to go, team!” territory, for sure.
There’s just one not-so-small catch: there are about 300 domains that have yet to set DMARC records to a reject policy setting and 90% are actively sending email. In September, we predicted this might represent a major roadblock to meeting the deadline, which seems to have been the case.
So, what does this mean? Here's the deal: In order to protect against outbound impersonation scams effectively, each agency must implement DMARC for each of its domains—not just the ones that they use to send email. This includes "defensive" domains, or those that could be hijacked and used to serve fraudulent email.
Based on this information, it appears that nearly a quarter of all domains that had yet to comply with BOD 18-01 are ones that are actually used for sending email. And while setting up DMARC for defensive domains is relatively straightforward, doing it for "active sender" domains can be a chore.
For instance, any team or organization allowed to send emails from that domain on behalf of the associated agency—including outside agencies and vendors—must be DMARC compliant, too.
Waiting on Bated Breath
While not impossible, getting the remaining executive branch domains fully BOD 18-01 compliant by today’s deadline is no small feat. Indeed, if anything, the whole effort demonstrates a large-scale, multi-agency initiative managed with a high level of efficiency.
We’ll know soon enough whether all executive branch agencies met full compliance by the deadline. But much remains to be done either way—including the push for DMARC adoption for non-executive branch domains, federal contractors and other businesses.
For those looking for guidance, a special DMARC Setup Guide from the Global Cyber Alliance (GCA) is available online.
But that's work for another day. For now, celebrations are in order for implementing BOD 18-01 in such a short amount of time. I’m hopeful that others will be emboldened by the success of this initiative, and will take steps to help build on this effort to turn the cybersecurity tide in our favor.
Read our DMARC adoption analysis blog One Year Later: Federal Mandate for Email Authentication Huge Success. To learn more, download a free copy of the September 2018 BOD 18-01 Progress Report